Security
Chapter Overview
This opening chapter establishes the foundation for understanding
the broader field of information security. This is accomplished by
defining key terms, explaining essential concepts, and reviewing the
origins of the field and its impact on the understanding of information
security.
Chapter Objectives
Security
The need for computer security, or the need to secure the physical
location of hardware from outside threats, began almost immediately
after the first mainframes were developed.
Groups developing code-breaking computations during World War II
created the first modern computers.
At this stage, the concept of computer security evolved into the more
sophisticated system we call information security.
MULTICS
Much of the focus for research on computer security centered on
a system called MULTICS (Multiplexed Information and Computing
Service).
In mid-1969, not long after the restructuring of the MULTICS project,
several of the key players created a new operating system called UNIX.
While the MULTICS system had planned security with multiple security
levels and passwords, the UNIX system did not.
In the late 1970s, the microprocessor brought in a new age of
computing capabilities and security threats as these microprocessors
were networked.
The 1990s
At the close of the 20th century, as networks of computers became
more common, so too did the need to connect the networks to each
other. This gave rise to the Internet, the first manifestation of a global
network of networks.
There has been a price for the phenomenal growth of the Internet,
however. When security was considered at all, early Internet
deployment treated it as a low priority.
As the requirement for networked computers became the dominant
style of computing, the ability to physically secure the physical
computer was lost, and the stored information became more exposed
to security threats.
The Present
Today, the Internet has brought millions of unsecured computer
networks into
What is Security?
In general, security is the quality or state of being secure: to be free
from danger. It means to be protected from adversaries, from those
who would do harm, intentionally or otherwise.
A successful organization should have the following multiple layers of
security in place for the protection of its operations:
Physical security: to protect the physical items, objects, or areas of
an organization from unauthorized access and misuse
Personal security: to protect the individual or group of individuals
who are authorized to access the organization and its operations
Operations security: to protect the details of a particular operation
or series of activities
Communications security: to protect an organization's communications
media, technology, and content
Network security: to protect networking components, connections, and
contents
Information security: to protect information assets
Information security, therefore, is the protection of information and its
critical elements, including the systems and hardware that use, store,
and transmit that information. But to protect the information and its
related systems from danger, tools, such as policy, awareness,
training, education, and technology, are necessary.
The C.I.A. triangle has been considered the industry standard for
computer security since the development of the mainframe. It was
solely based on three characteristics that described the utility of
information: confidentiality, integrity, and availability. The C.I.A.
triangle has expanded into a list of critical characteristics of
information.
Components
The Systems Development Life Cycle
Analysis
The analysis phase begins with the information learned during the
investigation phase. This phase consists primarily of assessments of
the organization, the status of current systems, and the capability to
support the proposed systems.
Analysts begin to determine what the new system is expected to do
and how it will interact with existing systems. The phase ends with
the documentation of the findings and a feasibility analysis update.
Logical Design
In the logical design phase, the information gained from the analysis
phase is used to begin creating a solution system for a business
problem.
Then, based on the business need, applications capable of providing
needed services are selected. Based on the applications needed, data
support and structures capable of providing the needed inputs are
selected.
Finally, based on all of the above, specific technologies are selected to
implement the physical solution. In the end, another feasibility
analysis is performed.
Physical Design
During the physical design phase, specific technologies are selected to
support the alternatives identified and evaluated in the logical design.
The selected components are evaluated based on a make-or-buy
decision (develop in-house or purchase from a vendor).
Final designs integrate various components and technologies.
After yet another feasibility analysis, the entire solution is presented to
the end-user representatives for approval.
Implementation
Even though formal development may conclude during this phase, the
life cycle of the project continues until it is determined that the process
should begin again from the investigation phase. When the current
system can no longer support the changed mission of the organization,
the project is terminated and a new project is implemented.
Securing the Systems Development Life Cycle
Each of the phases of the SDLC should include consideration of the
security of the system being assembled as well as the information it
uses. Such consideration means that each implementation of a
system is secure and does not risk compromising the confidentiality,
integrity, and availability of the organization's information assets.
NIST recommends that organizations incorporate the associated IT
security steps of the included general SDLC into their development
processes. (See textbook pages 23-25.) It is imperative that
information security be designed into a system from its inception,
rather than added in during or after the implementation phase.
Organizations are moving toward more security-focused development
approaches, seeking to improve not only the functionality of the
systems they have in place, but the confidence of the consumer in
their product.
Security Systems Development Life Cycle
Professionals and the Organization
5. What are the three components of the CIA triangle? What are
they used for?
6. If the C.I.A. triangle is incomplete, why is it so commonly used
in security?
7. Describe the critical characteristics of information. How are
they used in the study of computer security?
8.
9. In the history of the study of computer security, what system is
the father of almost all multi-user systems?
10. What paper is the foundation of all subsequent studies of
computer security?
11. How is the top-down approach to information security superior
to the bottom-up approach?
12.
13. Who is involved in the security development life cycle? Who
leads the process?
14. How does the practice of information security qualify as both an
art and a science? How does security as a social science influence its
practice?
15. Who is ultimately responsible for the security of information in
the organization?
16. What is the relationship between the MULTICS project and early
development of
20. Who should lead a security team? Should the approach to
security be more managerial or technical?